From January through December of 2019, the number of phishing URLs grew by an unprecedented 640%.
The report is curated by several teams of analysts who sift through the onslaught of data brought in by their enormous network of online sensors – over 95 million of them.
With coverage of over 78 million end users, 842 million domains, 37 billion URLs, 4 billion IP addresses, 36 billion file behaviour records and 31 million active mobile apps, suffice it to say they have a lot of data to deal with.
Regarding malware, over 1.6 million new malware apps were discovered each day, up from around 1.37 million during the previous year. That totals almost 600 million new malware apps discovered throughout the year.
Interestingly though, the number of malware infections per computer has actually steadily decreased over the last 3 years. This is due in part to the move to more secure operating systems (Windows 7 is around three times more likely to be infected than Windows 10), but also to the increased adoption of Security Awareness Training. More users are now learning about the dangers of downloading and installing unknown software.
Analysing trends in ransomware attacks highlights the increase in popularity of hackers threatening victims with exposure of stolen information. Also, there has been a systematic shift towards using Ransomware-as-a-Service (RaaS) to attack larger public organisations and SMBs.
Unfortunately, while users are becoming more adept at avoiding malicious software while browsing, there is still an inordinate failure rate with regard to spotting phishing emails, hence their prolific usage.
“These attacks rely heavily on phishing emails to get a toehold in the network. They take advantage of timely topics, such as healthcare enrollment or climate change, to increase the chances someone will click a link and download a Trojan, ransomware, or other malware.”
Phishing campaigns, and specifically their URLs, commanded the most statistical real estate, with 45% of high-risk URLs discovered being operated by phishers. The increase in phishing URLs means that almost 1 in 100 (0.96%) sites online are phishing sites. With well over 1,000,000,000 sites online, being able to spot the difference between a real site and a phishing site is a skill that we should all be confident in.
Business Email Compromise (BEC) was noted by the FBI as costing organisations globally just shy of £20,000,000,000 ($26 billion). For those not aware, BEC is when social engineers send fraudulent emails masquerading as higher-ranking employees and coerce the victim into moving funds, giving up account details and other nefarious activities. These attacks have risen by 100% over the last year and show no signs of slowing.
The necessity for routine Security Awareness Training was made very apparent:
- Organisations that offered 1-5 security awareness campaigns within 2 months had a propensity for clicking phishing emails (a Click-Prone Rate) of 37%.
- Those who ran 6-10 campaigns within 4 months had a Click-Prone Rate of 28%.
- Those running more than 11 campaigns within 6 months saw a Click-Prone Rate of only 13%.
“One of the reasons behind the increased success of regular training is that users must be armed against highly variable, increasingly sophisticated, targeted phishing attacks, especially as these attacks rely heavily on current events and trends.”
In the case of BEC attacks, in which a single employee can accidentally, and in good faith, lose an organisation huge sums of money, Security Awareness Training has a Return On Investment (ROI) unlike any other security product on the market.